Data Processing Agreement

Last updated: January 30, 2025

Overview

This page provides information about data processing in connection with CalNexus and how HanseNexus GmbH handles your data as a processor under the General Data Protection Regulation (GDPR).

CalNexus as Data Processor

When you use CalNexus, you (the user) are the data controller of your calendar data, and HanseNexus GmbH acts as the data processor. This means:

  • Data Controller: You determine what calendar data is collected and for what purposes
  • Data Processor: We process your calendar data solely on your behalf and according to your instructions
  • Processing: We do not use your data for our own purposes (except as necessary to provide the service)

Sub-Processors

To provide CalNexus, we engage the following sub-processors who may access or process your data:

Convex

Service: Database and backend infrastructure
Location: United States
Safeguards: EU-US Data Privacy Framework, Standard Contractual Clauses

Stripe

Service: Payment processing
Location: United States, Ireland
Safeguards: GDPR compliant, Standard Contractual Clauses

Google LLC

Service: OAuth authentication, Calendar API integration
Location: United States, Europe
Safeguards: GDPR compliant, EU-US Data Privacy Framework

Vercel Inc.

Service: Application hosting and CDN
Location: United States, Europe
Safeguards: GDPR compliant, Standard Contractual Clauses

All sub-processors are bound by data processing agreements that comply with GDPR Article 28 requirements.

Data Processing Locations

Your data may be processed in the following locations:

  • European Union (primary data storage)
  • United States (infrastructure and sub-processors with GDPR safeguards)

All international data transfers are protected by Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the European Commission.

Security Measures

We implement appropriate technical and organizational measures to ensure data security, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security audits
  • Incident response procedures
  • Employee confidentiality obligations
  • Data minimization and pseudonymization where applicable

Our Obligations as Processor

As your data processor, we commit to:

  • Process data only as instructed by you
  • Ensure confidentiality of data
  • Implement appropriate security measures
  • Assist with data subject rights requests
  • Assist with data protection impact assessments if required
  • Delete or return data upon termination of service
  • Make available all information necessary to demonstrate compliance

Data Subject Rights

You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. To exercise these rights, see our Privacy Policy or contact service@hansenexus.de.

Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and within 72 hours of becoming aware of the breach, providing all necessary information to meet your GDPR obligations.

Requesting a Formal DPA

If you are a business customer or require a formal Data Processing Agreement for compliance purposes, please contact us:

Email: service@hansenexus.de
Subject: Data Processing Agreement Request

Please include your company name, contact information, and any specific requirements.

Contact

For questions about data processing or to exercise your rights:

service@hansenexus.de
HanseNexus GmbH, Eidelstedter Weg 2, 20255 Hamburg, Germany